Nixpkgs Security Tracker

Automatically generated suggestions

CVE-2024-21885
7.8 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 7 months, 3 weeks ago
Xorg-x11-server: heap buffer overflow in xisenddevicehierarchyevent

A flaw was found in X.Org server. In the XISendDeviceHierarchyEvent function, it is possible to exceed the allocated array length when certain new device IDs are added to the xXIHierarchyInfo struct. This can trigger a heap buffer overflow condition, which may lead to an application crash or remote code execution in SSH X11 forwarding environments.

Affected products

tigervnc
  • *
xwayland
  • <23.2.4
  • *
xorg-server
  • ==1.21.1.7
  • <21.1.11
  • *
xorg-x11-server
  • *
xorg-x11-server-Xwayland
  • *

Matching in nixpkgs

pkgs.tigervnc

Fork of tightVNC, made in cooperation with VirtualGL

CVE-2025-27288
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 8 months ago
WordPress File Icons Plugin <= 2.1 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BjornW File Icons allows Reflected XSS. This issue affects File Icons: from n/a through 2.1.

Affected products

file-icons
  • =<2.1

Matching in nixpkgs

pkgs.vscode-extensions.file-icons.file-icons

File-specific icons in VSCode for improved visual grepping

CVE-2025-39438
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 8 months ago
WordPress Theme Changer plugin <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in momen2009 Theme Changer allows Cross Site Request Forgery. This issue affects Theme Changer: from n/a through 1.3.

Affected products

theme-changer
  • =<1.3

Matching in nixpkgs

pkgs.gnomeExtensions.dm-theme-changer

Automatically change theme styles when dark mode is enabled or disabled.

  • nixos-unstable 4
    • nixos-unstable-small 4
    • nixpkgs-unstable 4

Package maintainers: 1

CVE-2024-22051
9.8 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 8 months ago
CommonMarker Integer Overflow Vulnerability

CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can allow possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns.

Affected products

commonmarker
  • <0.23.4

Matching in nixpkgs

CVE-2025-39434
4.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): LOW
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): NONE
created 8 months ago
WordPress Avatar plugin <= 0.1.4 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4.

Affected products

avatar
  • =<0.1.4

Matching in nixpkgs

pkgs.yunfaavatar

Utility for automatic centralized changing of avatar in Github, Discord, Steam, Shikimori, and many more

pkgs.kdePackages.libgravatar

Library that provides Gravatar support

pkgs.gnomeExtensions.gravatar

Synchronize GNOME Shell user icon with Gravatar.

  • nixos-unstable 6
    • nixos-unstable-small 6
    • nixpkgs-unstable 6

pkgs.haskellPackages.gravatar

Generate Gravatar image URLs

pkgs.haskellPackages.libravatar

Use Libravatar, the decentralized avatar delivery service

pkgs.rubyPackages.jekyll-avatar

pkgs.python311Packages.libgravatar

Library that provides a Python 3 interface for the Gravatar API

pkgs.python312Packages.libgravatar

Library that provides a Python 3 interface for the Gravatar API

pkgs.rubyPackages_3_1.jekyll-avatar

pkgs.rubyPackages_3_2.jekyll-avatar

pkgs.rubyPackages_3_3.jekyll-avatar

pkgs.rubyPackages_3_4.jekyll-avatar

pkgs.python311Packages.flask-gravatar

Small and simple integration of gravatar into flask

pkgs.python312Packages.flask-gravatar

Small and simple integration of gravatar into flask

pkgs.perl538Packages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

pkgs.perl540Packages.MojoliciousPluginGravatar

Globally Recognized Avatars for Mojolicious

pkgs.gnomeExtensions.user-avatar-in-quick-settings

Display the user avatar in the Quick Settings menu, part of the "System" settings

  • nixos-unstable 8
    • nixos-unstable-small 8
    • nixpkgs-unstable 8

Package maintainers: 13

CVE-2025-39436
9.1 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 8 months ago
WordPress I Draw <= 1.0 - Arbitrary File Upload Vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in aidraw I Draw allows Using Malicious Files. This issue affects I Draw: from n/a through 1.0.

Affected products

idraw
  • =<1.0

Matching in nixpkgs

pkgs.kanjidraw

Handwritten kanji recognition

pkgs.jitsi-excalidraw

Excalidraw collaboration backend for Jitsi

  • nixos-unstable 21
    • nixos-unstable-small 21
    • nixpkgs-unstable 21

pkgs.excalidraw_export

CLI to export Excalidraw drawings to SVG and PDF

pkgs.tests.pkg-config.defaultPkgConfigPackages.hidapi-hidraw

Test whether hidapi-0.14.0 exposes pkg-config modules hidapi-hidraw

  • nixos-unstable ???
    • nixos-unstable-small
    • nixpkgs-unstable

Package maintainers: 4

CVE-2025-27324
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 8 months ago
WordPress 17TRACK for WooCommerce Plugin <= 1.2.10 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 17track 17TRACK for WooCommerce allows Reflected XSS. This issue affects 17TRACK for WooCommerce: from n/a through 1.2.10.

Affected products

17track
  • =<1.2.10

Matching in nixpkgs

CVE-2025-39580
5.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): NONE
  • Availability impact (A): NONE
created 8 months ago
WordPress Dashi <= 3.1.8 - Broken Access Control Vulnerability

Missing Authorization vulnerability in jidaikobo Dashi allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dashi: from n/a through 3.1.8.

Affected products

dashi
  • =<3.1.8

Matching in nixpkgs

pkgs.dashing

Dash Generator Script for Any HTML

pkgs.python311Packages.dashing

Terminal dashboards for Python

pkgs.python312Packages.dashing

Terminal dashboards for Python

Package maintainers: 1

CVE-2025-24655
7.1 HIGH
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): CHANGED
  • Confidentiality impact (C): LOW
  • Integrity impact (I): LOW
  • Availability impact (A): LOW
created 8 months ago
WordPress Wishlist Plugin <= 1.0.39 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Wishlist allows Reflected XSS. This issue affects Wishlist: from n/a through 1.0.39.

Affected products

wishlist
  • =<1.0.39

Matching in nixpkgs

pkgs.wishlist

Single entrypoint for multiple SSH endpoints

Package maintainers: 2

CVE-2025-32911
9.0 CRITICAL
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): CHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
created 8 months ago
Libsoup: double free on soup_message_headers_get_content_disposition() through "soup-message-headers.c" via "params" ghashtable value

A flaw was found in libsoup, which is vulnerable to a use-after-free memory issue not on the heap in the soup_message_headers_get_content_disposition() function. This flaw allows a malicious HTTP client to cause memory corruption in the libsoup server.

Affected products

libsoup
  • *
  • <3.6.3
libsoup3
mingw-freetype
  • *
spice-client-win
  • *

Matching in nixpkgs

pkgs.libsoup_3

HTTP client/server library for GNOME

pkgs.libsoup_2_4

HTTP client/server library for GNOME

pkgs.tests.pkg-config.defaultPkgConfigPackages."libsoup-gnome-2.4"

Test whether libsoup-2.74.3 exposes pkg-config modules libsoup-gnome-2.4

Package maintainers: 6